Supplier Onboarding Checklist (UK)
A practical onboarding checklist for vetting new UK suppliers before the first order.
Onboarding a new UK supplier is the moment your procurement policy stops being a document and starts being a sequence of decisions. This checklist covers what to verify, what to collect, and what to sign before the first purchase order goes out, scaled to the size of the spend in front of you.
TL;DR
- Verify identity against Companies House first, using the company number, not the trading name.
- Collect insurance certificates, accreditations and two referees before any work starts.
- Match financial due diligence to spend tier: light touch under £5k, scored review above £50k, full analyst report above £250k.
- Screen for sanctions, modern slavery exposure and (where relevant) data-processor obligations.
- Get T&Cs signed against your paper, not theirs, and set payment terms that match your policy.
- Record the supplier code of conduct acceptance and keep it with the contract.
- Schedule the next review now, before the file goes cold.
Why is supplier onboarding different from supplier due diligence?
Due diligence answers "should we work with them"; onboarding answers "what do we need on file before they start". The two run in parallel but produce different artefacts. Due diligence produces a risk judgement. Onboarding produces a folder: signed contract, insurance certificates, bank details verified, code of conduct accepted, payment terms agreed, system records created.
If you want the deeper view of the assessment side, the supplier due diligence guide covers what good looks like. This page is the operational checklist that sits alongside it.
How do I verify the supplier is who they say they are?
Start at Companies House. The two-minute version: search the registered name, confirm the company number, check the registered office matches what you've been told, and read the current officers and PSC (persons with significant control). A trading name on a quote is not an entity; the company number on the Companies House register is.
The full set of identity checks before you create a supplier record:
- Companies House number — recorded on the supplier master file, used on every PO.
- Registered office address — matches the address on the quote, or the difference is explained.
- VAT registration — verified via HMRC's free VAT checker if the supplier is charging VAT.
- Trading name vs registered name — if they differ, both are recorded.
- PSC and officers — read once, noted, flagged if anything is unusual (sole director with multiple recent dissolutions, nominee-style structures, very recent incorporation against a large quoted contract).
- Bank details verified out of band — bank account name confirmed via a phone call to a known number, never via the email that sent the invoice. This single step prevents most invoice-redirection fraud.
The Companies House checks explained guide walks through each filing type if you want the deeper read.
What credentials should I collect before the first order?
Insurance, accreditations and references. Get them on file before you raise the PO, not after the work has started and you have no leverage.
- Public liability insurance — certificate with current dates, cover level appropriate to the contract. Most UK B2B buyers expect a minimum of £5m; construction and FM often require £10m.
- Employer's liability insurance — legally required for any UK supplier with employees, minimum £5m by statute. A supplier who can't produce a current EL certificate within 24 hours is telling you something.
- Professional indemnity — for any supplier giving advice or designing things. Levels vary by sector; £1m is a common floor for smaller professional services.
- Product liability — for anyone selling physical goods that end up with your staff or customers.
- Sector accreditations — SIA for security, CHAS or Constructionline for construction, Cyber Essentials or ISO 27001 for IT, ICO registration for anyone handling personal data, FCA authorisation for regulated financial services. Verify on the issuing register, not the logo on their website.
- Two named referees — recent clients of similar size and scope, with direct phone numbers. Call them. The information from a five-minute reference call is often worth more than the rest of the file combined.
How much financial due diligence does this supplier actually need?
It depends on the spend, the criticality and the size of the supplier. A sensible default for a mid-market UK buyer:
- Under £5,000, one-off: confirm the entity exists, isn't being struck off, has filed accounts in the last 18 months. Ten minutes.
- £5,000 to £50,000, or recurring: a full public-record pass. Accounts, directors, PSC, charges, CCJs, sector register if relevant. Documented, dated, filed.
- £50,000 to £250,000, or multi-year: add a scored bureau report or analyst review. Take and check references. Insurance and accreditation evidence on file.
- Over £250,000 or business-critical: full analyst-reviewed report, video or site visit, named referee calls, and explicit sign-off from the budget owner.
The trap is running the heavy version on every supplier (it doesn't scale) or only running it on the named big ones (the long tail of small suppliers often adds up to more spend than the headline contracts). Write the tiering down and apply it consistently.
For reading the accounts themselves, how to check if a company is financially stable walks through the signals worth weighing. Director-level checks live in director history checks — phoenixing and serial failure are visible in the file if you look for them.
What legal and compliance checks should sit in the onboarding file?
A small set of yes/no checks that protect you against statutory and reputational risk:
- Sanctions screening — the UK consolidated sanctions list (HM Treasury OFSI) for the entity and its named directors. The check is free and fast; skip it and you carry the exposure if the supplier is listed.
- Modern slavery statement — required by statute for suppliers with turnover over £36m, and a reasonable ask of any supplier providing labour. If you publish a statement of your own, you need to be able to defend the supply chain behind it.
- Anti-bribery position — for any supplier exposed to public-sector work or operating in higher-risk jurisdictions. A signed acknowledgement of your anti-bribery policy is the minimum.
- GDPR / data processor agreement — if the supplier will process personal data on your behalf (payroll, recruitment, IT support, marketing platforms, anyone with login access to systems holding personal data), a written data processor agreement is required under UK GDPR Article 28. Check ICO registration on the ICO register.
- Right-to-work and contractor-status checks — for suppliers providing individuals to work on your site, IR35 status and right-to-work evidence sit with the supplier but should be confirmed in writing.
The red flags in supplier financials guide covers the financial warning signs, but legal compliance is its own checklist. A clean balance sheet doesn't excuse a missing data processor agreement.
What commercial terms need to be agreed before the first PO?
Get the paperwork right at the start. Renegotiating after the relationship is live is harder than getting it right before.
- T&Cs on your paper — your purchase terms, not their sales terms. The "last shot doctrine" in English contract law means whichever set was sent last typically governs; suppliers know this, which is why their terms arrive on the back of the order acknowledgement. Send yours with the PO.
- Payment terms — written, agreed, and aligned with your standard policy (most UK mid-market buyers run 30 days end of month). The Reporting on Payment Practices regime requires large businesses to publish their actual payment performance every six months, so don't agree to terms you won't meet.
- Pricing and rate card — fixed for a defined period, with a written mechanism for change. "Subject to increase" is not a mechanism.
- Liability cap and indemnities — appropriate to the contract value and risk. Suppliers often propose a cap at the value of fees paid in the prior 12 months; for high-risk work, that's rarely enough.
- Termination rights — notice period, termination for convenience, termination for cause, and what happens to data and work in progress on exit.
- Supplier code of conduct — signed acknowledgement on file. This is the document that pulls modern slavery, anti-bribery, data protection, environmental and ethical expectations into one place and ties the supplier to them contractually.
What does ongoing review look like?
Onboarding is the start of the relationship, not the end of the diligence. The minimum cadence for a mid-market UK buyer:
- Material suppliers (top 20% by spend, or business-critical): annual review. Re-pull Companies House, re-check insurance certificates (which expire), re-take references for anything where the scope has materially changed, and refresh the financial review.
- All other contracted suppliers: review at renewal. The renewal is the natural prompt; if there isn't one, set a calendar reminder for the contract anniversary.
- Ad-hoc triggers: a director leaves, ownership shifts, a Gazette notice appears, the supplier asks to renegotiate payment terms, or the press writes something about them. Any of these means re-running the file before you renew or extend.
Most supplier failures are visible in filings weeks or months before they become a crisis. The way to catch that is to look again, on a defined cadence, against the same checklist you used at onboarding.
How does this look for specific sectors?
Some verticals carry failure modes a generic onboarding pack will miss. Facilities management suppliers run on thin margins and TUPE-heavy contracts; the insurance and accreditation evidence matters more than the headline numbers. Construction and IT services carry their own deeper checks. The vertical pages on Vendrpulse cover the sector-specific signals worth adding to the standard pack.
FAQ
Can I onboard a supplier before due diligence is complete?
Not for anything material. For very small one-off purchases, a light identity check is enough to raise the PO and let the work proceed. For recurring spend or anything over a few thousand pounds, the answer is no: onboarding completes when the file is complete, and the first PO waits for that. The pressure to start work before paperwork is finished is where most onboarding controls fail.
What's the single most important check in supplier onboarding?
Verifying bank details out of band, against a phone number you have independently confirmed. Invoice-redirection fraud is the most common, highest-value loss in UK procurement, and it is prevented almost entirely by one phone call. Nothing else on the checklist saves you money as reliably.
Do I need a written contract for every supplier?
For anything over the threshold your finance team has set (commonly £5k or £10k), yes. Below that, a PO with your standard terms attached is usually enough. The question to ask is whether you'd be comfortable defending the arrangement in front of a court or an auditor with only the email trail you currently have.
How do I onboard a supplier that's too new to have filed accounts?
You weight the assessment differently. Director history, references, insurance and accreditation evidence carry more weight when the company file is thin. A new company with experienced, clean directors and credible references is a very different proposition from a new company with directors who have left a trail of dissolved entities. The director history checks guide covers what to read.
What if the supplier refuses to sign our T&Cs?
That is itself a data point. Negotiation is normal; flat refusal on standard terms is unusual for legitimate suppliers of mid-market size. Find out what specifically they object to, and whether the objection is reasonable. If it is, agree the variation in writing. If it isn't, the question is whether you have an alternative supplier.
Related reading
- Supplier due diligence in the UK — the assessment work that sits alongside onboarding
- Companies House checks explained — reading the filings properly
- How to check if a company is financially stable — financial review for the file
- Director history checks — disqualifications and phoenixing
- How we check a supplier — the Vendrpulse methodology
